develop archivos de la lista de correo

[email protected]

Avatar

Report detailed about 3 bugs in your site : odoo.com // Security Vulnerability Notification| Important

por chabik hatim <[email protected]> - 10/01/2022 02:30:00
Hello Dear Sir, Good Morning

 I hope you are fine and in a good health you and your family

I hope that this new year 2022 will be all success, love and respect among your family, I wish you with all my heart good luck and a beautiful life.

I hope this message finds you well. I’m reaching out today because i found two bugs in your site : odoo.com

i'm hatim chabik student of physiotherapy and security researcher


i looking for bugs in my spare time to gain some money for my study

and i am here writing  this email to inform you that i found a bug on  your website

   *********************************************************************************************************
Bug  :  Open Redirect
Bug :  lack of security headers
Bug : Frameable response (potential Clickjacking)  

  ***********************************************************************************************************

Bug  :  Open Redirect


    ***************************************************************************************************

bug :  lack of security headers
  i notice lack of lots of security headers

1: Feature-Policy is not set: Feature Policy is a header that allows a site to control which features and APIs can be used in the browser
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy

2: The Referrer-Policy is not set: Referrer Policy is a new header that allows a site to control how much information the browser includes when navigating to an other website and should be set by all site.
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

3: X-XSS-Protection" header is not set:  X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
    https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

4: X-Frame-Options header missing:  X-Frame-Options tells the browser whether you want to allow your site to be used in i-frames or not. By preventing a browser from i-framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN"
     https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options

5:  The Content-Security-Policy is not set:  Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets
      https://en.wikipedia.org/wiki/Content_Security_Policy

6: X-Content-Type-Options header not set:  X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff"
    https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
  *************************************************************************************************************************************************

Bug : Frameable response (potential Clickjacking)

Host:   https://odoo.com

If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.

You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.
Issue remediation

To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.

________________________________________________________________________________________

I do this work to alert you of a bug in your website and fix bugs and make your site safer

I have experience in this field for more than 6 years, I have a lot of certificates in this field and my name is included in many sites in the hall of fame
It is possible if I wanted to work with you in finding many serious bug that negatively affect your site
And I am very happy to make your site safer,
i will be very happy if you accept a request to work together to make your site secure

Really desperately need a reward in these difficult circumstances  that the world is going through, to help myself with study requirements, this is the only job I work and earn money and this money I help myself in my study and my family .

I hope you can see my message and respond to me please
I need your response

only  help me and appreciate me for this work in your site to make your site safer

may i request you to  if it is possible  ? sir, I'll be very grateful to you .

i would be very happy if you reward me

if possible that my account paypal

PayPal : [email protected]

< Please ,  if you read my message please tell me,  so that i know you got it,  please let me know if you’re interested in this and as i am a security researcher, possible if you want to work together and discover more very important bugs  and dangerous for your site , to make your site more secure , i look forward to hearing from you >


Sincerely, best regards
    Hatim chabik
    security researcher
my account in twitter / https://twitter.com/H_chabik